Add tests for installing with empty PKCS#12 password

ipatests/test_integration/test_caless.py

@@ -163,9 +163,9 @@ class CALessBase(IntegrationTest):
             '--forwarder', host.config.dns_forwarder,
         ]
 
-        if http_pin:
+        if http_pin is not None:
             args.extend(['--http_pin', http_pin])
-        if dirsrv_pin:
+        if dirsrv_pin is not None:
             args.extend(['--dirsrv_pin', dirsrv_pin])
         if unattended:
             args.extend(['-U'])
@@ -231,9 +231,9 @@ class CALessBase(IntegrationTest):
             args.extend(['--http_pkcs12', http_pkcs12])
         if dirsrv_pkcs12:
             args.extend(['--dirsrv_pkcs12', dirsrv_pkcs12])
-        if http_pin:
+        if http_pin is not None:
             args.extend(['--http_pin', http_pin])
-        if dirsrv_pin:
+        if dirsrv_pin is not None:
             args.extend(['--dirsrv_pin', dirsrv_pin])
 
         args.extend([replica.hostname])
@@ -277,14 +277,16 @@ class CALessBase(IntegrationTest):
         return replica.run_command(args)
 
     @classmethod
-    def export_pkcs12(cls, nickname, filename='server.p12'):
+    def export_pkcs12(cls, nickname, filename='server.p12', password=None):
         """Export a cert as PKCS#12 to the given file"""
+        if password is None:
+            password = cls.cert_password
         ipautil.run(['pk12util',
                      '-o', filename,
                      '-n', nickname,
                      '-d', 'nssdb',
                      '-K', cls.cert_password,
-                     '-W', cls.cert_password], cwd=cls.cert_dir)
+                     '-W', password], cwd=cls.cert_dir)
 
     @classmethod
     def get_pem(cls, nickname):
@@ -422,7 +424,7 @@ class TestServerInstall(CALessBase):
         with open(self.pem_filename, 'w') as f:
             f.write(self.get_pem('ca1'))
 
-        result = self.install_server(http_pin=False)
+        result = self.install_server(http_pin=None)
         assert_error(result,
                      'ipa-server-install: error: You must specify --http_pin '
                      'with --http_pkcs12')
@@ -434,7 +436,7 @@ class TestServerInstall(CALessBase):
         with open(self.pem_filename, 'w') as f:
             f.write(self.get_pem('ca1'))
 
-        result = self.install_server(dirsrv_pin=False)
+        result = self.install_server(dirsrv_pin=None)
         assert_error(result,
                      'ipa-server-install: error: You must specify '
                      '--dirsrv_pin with --dirsrv_pkcs12')
@@ -679,7 +681,7 @@ class TestServerInstall(CALessBase):
 
         stdin_text = get_install_stdin(cert_passwords=[self.cert_password])
 
-        result = self.install_server(http_pin=False, unattended=False,
+        result = self.install_server(http_pin=None, unattended=False,
                                      stdin_text=stdin_text)
         assert result.returncode == 0
         self.verify_installation()
@@ -695,13 +697,41 @@ class TestServerInstall(CALessBase):
 
         stdin_text = get_install_stdin(cert_passwords=[self.cert_password])
 
-        result = self.install_server(dirsrv_pin=False, unattended=False,
+        result = self.install_server(dirsrv_pin=None, unattended=False,
                                      stdin_text=stdin_text)
         assert result.returncode == 0
         self.verify_installation()
         assert ('Enter server.p12 unlock password:'
                 in result.stdout_text), result.stdout_text
 
+    def test_no_http_password(self):
+        "IPA server install with empty HTTP password"
+
+        self.export_pkcs12('ca1/server', filename='http.p12', password='')
+        self.export_pkcs12('ca1/server', filename='dirsrv.p12')
+        with open(self.pem_filename, 'w') as f:
+            f.write(self.get_pem('ca1'))
+
+        result = self.install_server(http_pkcs12='http.p12',
+                                     dirsrv_pkcs12='dirsrv.p12',
+                                     http_pin='')
+        assert result.returncode == 0
+        self.verify_installation()
+
+    def test_no_ds_password(self):
+        "IPA server install with empty DS password"
+
+        self.export_pkcs12('ca1/server', filename='http.p12')
+        self.export_pkcs12('ca1/server', filename='dirsrv.p12', password='')
+        with open(self.pem_filename, 'w') as f:
+            f.write(self.get_pem('ca1'))
+
+        result = self.install_server(http_pkcs12='http.p12',
+                                     dirsrv_pkcs12='dirsrv.p12',
+                                     dirsrv_pin='')
+        assert result.returncode == 0
+        self.verify_installation()
+
 
 class TestReplicaInstall(CALessBase):
     num_replicas = 1
@@ -1006,7 +1036,7 @@ class TestReplicaInstall(CALessBase):
         stdin_text = get_replica_prepare_stdin(
             cert_passwords=[self.cert_password])
 
-        result = self.prepare_replica(http_pin=False, unattended=False,
+        result = self.prepare_replica(http_pin=None, unattended=False,
                                       stdin_text=stdin_text)
         assert result.returncode == 0
 
@@ -1023,7 +1053,7 @@ class TestReplicaInstall(CALessBase):
         stdin_text = get_replica_prepare_stdin(
             cert_passwords=[self.cert_password])
 
-        result = self.prepare_replica(dirsrv_pin=False, unattended=False,
+        result = self.prepare_replica(dirsrv_pin=None, unattended=False,
                                       stdin_text=stdin_text)
         assert result.returncode == 0
 
@@ -1032,6 +1062,36 @@ class TestReplicaInstall(CALessBase):
 
         self.verify_installation()
 
+    def test_no_http_password(self):
+        "IPA replica install with empty HTTP password"
+
+        self.export_pkcs12('ca1/replica', filename='http.p12', password='')
+        self.export_pkcs12('ca1/replica', filename='dirsrv.p12')
+
+        result = self.prepare_replica(http_pkcs12='http.p12',
+                                      dirsrv_pkcs12='dirsrv.p12',
+                                      http_pin='')
+        assert result.returncode == 0
+
+        result = self.install_replica()
+        assert result.returncode == 0
+
+        self.verify_installation()
+
+    def test_no_ds_password(self):
+        "IPA replica install with empty DS password"
+
+        self.export_pkcs12('ca1/replica', filename='http.p12')
+        self.export_pkcs12('ca1/replica', filename='dirsrv.p12', password='')
+
+        result = self.prepare_replica(http_pkcs12='http.p12',
+                                      dirsrv_pkcs12='dirsrv.p12',
+                                      dirsrv_pin='')
+        assert result.returncode == 0
+
+        result = self.install_replica()
+        assert result.returncode == 0
+
 
 class TestClientInstall(CALessBase):
     num_clients = 1
@@ -1174,9 +1234,10 @@ class TestCertinstall(CALessBase):
         tasks.kinit_admin(cls.master)
 
     def certinstall(self, mode, cert_nick=None, cert_exists=True,
-                    filename='server.p12', pin=_DEFAULT, stdin_text=None):
+                    filename='server.p12', pin=_DEFAULT, stdin_text=None,
+                    p12_pin=None):
         if cert_nick:
-            self.export_pkcs12(cert_nick)
+            self.export_pkcs12(cert_nick, password=p12_pin)
         if pin is _DEFAULT:
             pin = self.cert_password
         if cert_exists:
@@ -1364,3 +1425,15 @@ class TestCertinstall(CALessBase):
                                   pin=None,
                                   stdin_text=self.cert_password + '\n')
         assert result.returncode == 0
+
+    def test_no_http_password(self):
+        "Install new HTTP certificate with no PKCS#12 password"
+
+        result = self.certinstall('w', 'ca1/server', pin='', p12_pin='')
+        assert result.returncode == 0
+
+    def test_no_ds_password(self):
+        "Install new DS certificate with no PKCS#12 password"
+
+        result = self.certinstall('w', 'ca1/server', pin='', p12_pin='')
+        assert result.returncode == 0